Message-ID: <20130514123226.GB6097@gremlin.ru>
Date: Tue, 14 May 2013 16:32:26 +0400
From: gremlin@...mlin.ru
To: owl-users@...ts.openwall.com
Subject: Re: Owl encrypted / and tcplay

On 04-May-2013 15:45:51 +0200, Zenny wrote:

 > Is there a way to encrypt Owl / with aes-xts-plain64 which can be
 > remotely authenticated for decryption (like using dropbear in
 > initrd or the mandos server-client mechanism in debian using hooks)?

No. And normally you don't need that.

When dealing with sensitive data, I personally prefer leaving the bare
system on unencrypted / and /var, while keeping all the sensitive
data inside VZ containers stored on encrypted /home; when I reboot
the server, I wait for it to start and then issue a command like:

gpg < vzhost.key | ssh root@...ost.somewhere \
 "xxd -p -r | losetup -p 0 -e twofish -k 256 -H sha512 /dev/loop0 /dev/md2"

(hint: `head -c128 /dev/random | xxd -p -c32 | gpg -ea > vzhost.key`
will provide you with a secure encryption key).

After that, I go to vzhost.somewhere and issue two obvious commands:

mount /dev/loop0
service vz start

Please see the http://openwall.info/wiki/Owl/secure-storage page for
instructions on how to set up secure data storage.

 > Also interested in tcplay, but it would be nice to know how to
 > securely integrate it with Owl 3.0.

It uses devmapper, and thus is unacceptable due to its ability to bury
all the data at once.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
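The remote-unlock procedure above, wrapped into a small script so the key
generation, the sanity check on the key material and the one-shot
gpg | ssh | losetup pipeline are in one place. This is an added example,
not code from Gremlin's message or from Owl: the file name vzhost.key, the
host vzhost.somewhere, the devices /dev/md2 and /dev/loop0 and the GPG
recipient are placeholders, the hex encoding uses od (POSIX) instead of xxd
on the admin side (xxd -r -p on the remote side accepts the same hex
regardless of line breaks), and /dev/urandom is used in place of /dev/random.
The remote host is assumed to run a loop-AES losetup, as Owl does.

```shell
#!/bin/sh
# Added example (not from the original message): remote unlock of an
# encrypted /home on an Owl host via gpg | ssh | losetup. Placeholder
# names: vzhost.key, vzhost.somewhere, /dev/md2, /dev/loop0, GPG recipient.
set -eu

# 128 random bytes as 256 lowercase hex digits on one line.
# od is used instead of xxd so this side needs only POSIX tools.
gen_key_hex() {
    head -c 128 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Refuse to ship anything that is not exactly 128 bytes of hex:
# a truncated or mangled key would silently set up the wrong loop key.
check_key_hex() {
    key=$1
    [ "${#key}" -eq 256 ] || return 1
    case $key in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# make_keyfile <gpg-recipient> <outfile>
# The plaintext key only ever exists in a pipe; the file holds the
# ASCII-armoured ciphertext (same idea as the hint in the message).
make_keyfile() {
    key=$(gen_key_hex)
    check_key_hex "$key"
    printf '%s\n' "$key" | gpg --batch -ea -r "$1" -o "$2"
}

# remote_unlock <keyfile> <host> <blockdev> <loopdev>
# Decrypt locally, stream the hex over ssh, and let the remote losetup
# read it from fd 0 (-p 0), so the key never touches the remote disk,
# the remote command line or the shell history. Then mount and start vz.
remote_unlock() {
    gpg --batch -qd "$1" | ssh "root@$2" \
        "xxd -p -r | losetup -p 0 -e twofish -k 256 -H sha512 '$4' '$3' \
         && mount '$4' && service vz start"
}

# Usage (placeholders):
#   make_keyfile 0xEF3B1FA8 vzhost.key
#   remote_unlock vzhost.key vzhost.somewhere /dev/md2 /dev/loop0
```

Because losetup reads the key from its stdin rather than from an argument,
nothing sensitive appears in `ps` output on either side; the only secret on
the admin host is the GPG-encrypted vzhost.key, and the only secret on the
server is the loop key held in kernel memory until the next reboot.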
